Trust Assessment
pptx received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 20 findings: 6 critical, 11 high, 2 medium, and 1 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (20)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | document-skills/pptx/ooxml/scripts/pack.py:103 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | document-skills/pptx/ooxml/scripts/validation/redlining.py:153 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | document-skills/pptx/ooxml/scripts/validation/redlining.py:185 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | document-skills/pptx/scripts/thumbnail.py:219 |
| CRITICAL | **Arbitrary command execution.** Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | document-skills/pptx/scripts/thumbnail.py:237 |
| CRITICAL | **Path Traversal Vulnerability in ZIP Extraction.** The `unpack.py` script uses `zipfile.ZipFile(...).extractall(output_path)` with a user-controlled `input_file`. If the `input_file` (a .pptx archive) is malicious and contains path traversal sequences (e.g., `../../`), it can extract files to arbitrary locations outside the specified `output_path`, potentially overwriting system files or sensitive data. Sanitize the contents of the ZIP archive before extraction, or use a library/method that explicitly prevents path traversal. A common approach is to validate each member's name before extraction to ensure it does not contain `..` or absolute paths. | LLM | ooxml/scripts/unpack.py:19 |
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | document-skills/pptx/ooxml/scripts/pack.py:144 |
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | document-skills/pptx/scripts/html2pptx.js:884 |
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | document-skills/pptx/scripts/inventory.py:5 |
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | document-skills/pptx/scripts/inventory.py:117 |
| HIGH | **Unsafe deserialization / dynamic eval.** Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | document-skills/pptx/scripts/rearrange.py:8 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'validate_document'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | document-skills/pptx/ooxml/scripts/pack.py:103 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | document-skills/pptx/ooxml/scripts/validation/redlining.py:153 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function '_get_git_word_diff'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | document-skills/pptx/ooxml/scripts/validation/redlining.py:185 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | document-skills/pptx/scripts/thumbnail.py:219 |
| HIGH | **Dangerous call: subprocess.run().** Call to 'subprocess.run()' detected in function 'convert_to_images'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | document-skills/pptx/scripts/thumbnail.py:237 |
| HIGH | **Data Exfiltration via Local File Inclusion in HTML Processing.** The `html2pptx.js` script processes user-provided HTML content. The `addImage` function directly uses `el.src` from the HTML as an `imagePath` for `targetSlide.addImage()`. If a malicious user provides an HTML slide with an image source like `file:///etc/passwd` or `../../../../sensitive.png`, the script could attempt to read and embed arbitrary local files into the generated PowerPoint presentation, leading to data exfiltration. Implement strict validation and sanitization for all `src` attributes in user-provided HTML. Only allow `http(s)://` URLs or enforce a whitelist of allowed local paths. Prevent `file://` URLs and path traversal sequences (`../`). | LLM | scripts/html2pptx.js:122 |
| MEDIUM | **Potential Command Injection via External Binary Calls with User-Controlled Paths.** Multiple Python scripts execute external binaries (`soffice`, `pdftoppm`) using `subprocess.run`. While arguments are passed as a list (safer than `shell=True`), user-controlled file paths (`doc_path`, `input_path`, `image_prefix`) are included directly. If these external binaries are vulnerable to specially crafted filenames (e.g., containing shell metacharacters or interpreted as command-line options), it could lead to arbitrary command execution. This risk is higher if the external binaries themselves have known vulnerabilities in argument parsing. Ensure all user-controlled paths passed to external binaries are thoroughly sanitized to prevent any interpretation as commands or options. Consider using a wrapper or a more robust library if direct `subprocess` calls are unavoidable. Additionally, ensure `soffice` and `pdftoppm` are up-to-date and patched against known vulnerabilities. | LLM | ooxml/scripts/pack.py:90 |
| MEDIUM | **Potential Command Injection via External Binary Calls with User-Controlled Paths.** Multiple Python scripts execute external binaries (`soffice`, `pdftoppm`) using `subprocess.run`. While arguments are passed as a list (safer than `shell=True`), user-controlled file paths (`doc_path`, `input_path`, `image_prefix`) are included directly. If these external binaries are vulnerable to specially crafted filenames (e.g., containing shell metacharacters or interpreted as command-line options), it could lead to arbitrary command execution. This risk is higher if the external binaries themselves have known vulnerabilities in argument parsing. Ensure all user-controlled paths passed to external binaries are thoroughly sanitized to prevent any interpretation as commands or options. Consider using a wrapper or a more robust library if direct `subprocess` calls are unavoidable. Additionally, ensure `soffice` and `pdftoppm` are up-to-date and patched against known vulnerabilities. | LLM | scripts/thumbnail.py:160 |
| LOW | **Excessive Permissions: Arbitrary File Write to User-Controlled Paths.** Several scripts (e.g., `pack.py`, `inventory.py`, `rearrange.py`, `replace.py`, `thumbnail.py`) accept user-controlled arguments for output file paths (`output_file`, `output.json`, `output.pptx`, `output_prefix`). This allows the AI agent, if manipulated by a malicious prompt, to write or overwrite files in arbitrary locations on the filesystem. While not a direct code vulnerability, it represents an excessive permission that could be abused for denial-of-service (e.g., filling disk space) or data corruption if the agent is tricked into writing to sensitive system directories. Restrict the AI agent's ability to specify arbitrary output paths. Implement a whitelist of allowed output directories or enforce that all output must be written to a designated, sandboxed workspace directory. Validate and sanitize all user-provided output paths to prevent directory traversal (`../`) and absolute paths outside the allowed scope. | LLM | ooxml/scripts/pack.py:20 |